Sweden's Google probe over location tracking seen testing GDPR cooperation

As Google nears a deadline to respond to a Swedish probe into whether its collection of users' location data complies with EU rules, doubts have surfaced over which regulator should handle the cross-border investigation.

Last November, the US tech company was hit with coordinated data-privacy complaints by national consumer watchdogs in seven European countries — the Czech Republic, Greece, the Netherlands, Norway, Poland, Slovenia and Sweden.

The groups contest Google's policy over serving users of its Android platform with location-specific advertising by tracking their movements through its “location history” and “web & app activity” features. They say the company doesn't act transparently and has breached the EU's General Data Protection Regulation.

Sweden's data-protection regulator announced an investigation into the complaint by the Swedish Consumers' Association on Jan. 21, but Ireland's watchdog has also followed up on the complaints, saying other authorities had referred them to it. The Czech authority has said Ireland should take the lead, but other watchdogs have said they are cooperating with ongoing investigations.

The issue could potentially cause friction between the Swedish and Irish regulators, and presents an early test of how EU countries work together to coordinate cross-border probes under the GDPR, which only came into force last May.

Taking the lead

The confusion about which regulator gets to lead the probe stems from the fact that Google only formally named Ireland as its European base for data-processing purposes on Jan. 22.

Under the GDPR, investigations into privacy violations affecting individuals in more than one EU country come under a "one-stop shop" regulatory mechanism where a probe is spearheaded by the data protection authority, or DPA, in the nation where the company is based, known as its place of "main establishment."

Any probe started on or after Jan. 22 would thus be led by the Irish Data Protection Commission. But because Google's move came one day after the Swedish Data Protection Authority announced its investigation on Jan. 21, the Irish regulator doesn’t have automatic jurisdiction.

"Sweden wouldn't act on the complaint if we didn't think that we were competent," Olle Pettersson, a legal adviser on the case at the Swedish DPA, told MLex in a telephone interview. 

"I can understand the view that [companies] want to have only dealings with one DPA; that's the idea of the one-stop shop and main establishment," Pettersson said. "But there is only one DPA doing the investigation here. You have one talking partner."

Pettersson cited the case of French data watchdog CNIL, which was able to investigate Google. Last month it imposed a fine of 50 million euros ($55 million) on it for GDPR violations over the way the company seeks consent from users to send them personalized ads.

"We have cooperated, contacted our colleagues, just like the CNIL, especially Ireland," Pettersson said. He added the Swedish regulator wanted to conclude its investigation quickly, saying that prolonging it would be bad for Google, other companies, individuals and the regulator itself.

The Swedish authority has given Google a deadline of Feb. 15 to provide an answer and evidence in response to the complaint. It confirmed to MLex today that the company has not yet responded. 

Speaking to MLex, however, the Irish authority signaled that it wanted a role in running any investigation. A spokeswoman said the regulator would work with its counterparts "in the coming weeks" to decide "how best and effectively to move forward investigation of the issues raised.” She said "a number of DPAs" had referred the consumer groups’ complaints to it.

The Irish authority had sought information from Google as soon as seeing reports about the complaints, she said. "Google continues to provide the DPC with detailed information. . . . Since Jan. 22, the DPC has been the lead supervisory authority for Google, which means the general position is that all complaints in respect of Google since then will be handled by the DPC as [lead supervisory authority].

Other regulators

DPAs in other countries involved in the complaints have mixed reactions to how any investigation should progress.

The Czech watchdog has said Ireland should lead. In a statement on Jan. 17 about the complaint made by Czech consumer group dTest, it said: "The Czech office — in accord with other supervisory authorities — informed the Irish Data Protection Commissioner about the complaint. The Irish office should become the lead supervisory authority for these data-processing operations by Google." Regulators in the other EU countries should act as "concerned" authorities and provide input into the main probe.

But Greece's data regulator told MLex it was "investigating the complaint in cooperation with our EU counterparts." Similarly, The Slovenian watchdog told MLex it would "be looking into the matter in line with our competencies and will be actively cooperating on this issue with our EU counterparts."

The Norwegian regulator told MLex it was important to have a "harmonized and unified approach," and said all concerned authorities had been in contact with each other. But it added: "The case may likely be handled pursuant to the 'one-stop shop' set out by the GDPR," with the DPA of Google's main establishment in Europe investigating.

German action

Google could, in addition, soon face a lawsuit in a Berlin court from the Federation of German Consumer Organizations, or VZBV, which is preparing a claim against the company for privacy infringements on the same grounds as the complaints by the other national consumer groups.

The VZBV told MLex it would base its claim on infringements of not obtaining informed and specific consent on location services, and lack of information about the extent of the intended use of location services.